KDC HA Failure with krb5-1.9.1 and pam-krb5 4.4
Tom Parker
tparker at cbnco.com
Fri Nov 18 16:15:31 EST 2011
Hi Russ
No. I don't. The only thing that has changed between working and
broken is the upgrade of the krb5 packages from 1.8.3 to 1.9.1.
Here is my client side krb5.conf
[libdefaults]
default_realm = LS.CBN
# This line has to be somewhere or the krb5kdc init script will fail.
db_library = kldap
forwardable = true
[realms]
LS.CBN = {
admin_server = kerberos-adm.ls.cbn
default_domain = ls.cbn
auth_to_local = RULE:[1:$1@$0]
auth_to_local = RULE:[2:$1@$0]
}
[domain_realm]
[logging]
#kdc = FILE:/var/log/krb5/krb5kdc.log
#admin_server = FILE:/var/log/krb5/kadmind.log
#default = SYSLOG:NOTICE:DAEMON
On 11/18/2011 04:13 PM, Russ Allbery wrote:
> Tom Parker <tparker at cbnco.com> writes:
>
>> Good Afternoon.
>> I have two KDCs and my DNS servers are pointing to both of them with
>> equal weight. Both KDCs are running 1.9.1.
>> _kerberos._udp IN SRV 10 0 88 <server 1>
>> _kerberos._udp IN SRV 10 0 88 <server 2>
>> We are using Russ's pam-krb5 module version 4.4 compiled against krb
>> 1.8.3.
>> The problem I have is that if I update my client from 1.8.3 to 1.9.1 my
>> High Availability breaks. A 1.9.1 client will not successfully
>> authenticate if one of my KDCs is down. My 1.8.3 clients work fine.
> Just to double-check, you don't set dns_lookup_kdc to false in your
> krb5.conf file, do you?
>
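Two checks that bear on the exchange above, written here as an added illustration and not code from the thread, from pam-krb5 or from MIT krb5: a minimal krb5.conf reader that reports whether dns_lookup_kdc is actually in effect (MIT defaults it to true when the key is absent), and an RFC 2782 SRV-ordering walk that shows which target a client should fall over to when one KDC does not answer. The krb5.conf text is a copy of the one posted; the host names kdc1/kdc2.example.test, the "down" KDC and the reachable() predicate standing in for the AS-REQ exchange are constructed for the example.

```python
"""Checks for the KDC failover symptoms discussed above.

Added illustration: host names, the simulated 'down' KDC and the
reachable() predicate are constructed, not taken from the thread.
"""
import random
from collections import namedtuple

# Constructed copy of the client krb5.conf posted in the thread.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = LS.CBN
    # This line has to be somewhere or the krb5kdc init script will fail.
    db_library = kldap
    forwardable = true
[realms]
    LS.CBN = {
        admin_server = kerberos-adm.ls.cbn
        default_domain = ls.cbn
        auth_to_local = RULE:[1:$1@$0]
        auth_to_local = RULE:[2:$1@$0]
    }
[domain_realm]
[logging]
"""

# Spellings the MIT profile parser treats as boolean false.
FALSE_WORDS = {"false", "no", "off", "0", "f", "n", "nil"}


def libdefaults(conf_text):
    """Minimal krb5.conf reader: top-level key = value pairs of [libdefaults].
    Nested { } blocks are skipped; comment lines start with # or ;."""
    section, depth, out = None, 0, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1].lower(), 0
            continue
        if section != "libdefaults":
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip().lower()] = value.strip()
    return out


def dns_lookup_kdc_enabled(conf_text):
    """True unless [libdefaults] sets dns_lookup_kdc to a false value;
    an absent key means SRV lookup is on (MIT krb5 default)."""
    value = libdefaults(conf_text).get("dns_lookup_kdc")
    return value is None or value.lower() not in FALSE_WORDS


Srv = namedtuple("Srv", "priority weight port target")

# Constructed stand-ins for the two equal-priority, weight-0 SRV records.
SAMPLE_SRV = [Srv(10, 0, 88, "kdc1.example.test"),
              Srv(10, 0, 88, "kdc2.example.test")]


def order_srv(records, rng=None):
    """RFC 2782 try order: ascending priority; within one priority the
    weight-0 records go to the head of the candidate list and repeated
    weighted random draws then fix the order (all weights 0 => list order)."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        rng.shuffle(group)
        group.sort(key=lambda r: r.weight != 0)  # stable: weight 0 first
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered


def find_kdc(records, reachable, rng=None):
    """Walk the SRV targets in order; return (first target that answers,
    targets tried). reachable(host) stands in for the AS-REQ round trip."""
    tried = []
    for rec in order_srv(records, rng):
        tried.append(rec.target)
        if reachable(rec.target):
            return rec.target, tried
    return None, tried


if __name__ == "__main__":
    print("dns_lookup_kdc in effect:", dns_lookup_kdc_enabled(SAMPLE_CONF))
    down = "kdc1.example.test"  # constructed: pretend this KDC is offline
    print(find_kdc(SAMPLE_SRV, lambda host: host != down))
```

With both records at equal priority and weight 0 the order a client tries them in is whatever order the resolver returned, so a correct client reaches the surviving KDC on its second attempt at the latest; if a real client stops after the first unanswered target, the fault is in its retry logic or its resolver path, not in the records.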